
Bug#740162: marked as done (mod_authnz_ldap: no error.log feedback about LDAP TLS issues such as cert expiry, cipher mismatch, etc)



Your message dated Sat, 24 Oct 2015 22:11:38 +0200
with message-id <3209746.kpFihs4yoB@k>
and subject line mod_authnz_ldap: no error.log feedback about LDAP TLS issues such as cert expiry, cipher mismatch, etc
has caused the Debian Bug report #740162,
regarding mod_authnz_ldap: no error.log feedback about LDAP TLS issues such as cert expiry, cipher mismatch, etc
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
740162: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740162
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apache2.2-bin
Version: 2.2.22-13+deb7u1

Apache is authenticating users against an LDAP server.

An ldaps:// URL is used, e.g.

AuthLDAPURL "ldaps://ldap.example.org/dc=example,dc=org"

When the LDAP server SSL cert expires, access to the protected URLs
fails with 500 "Internal Server Error" and tells the user to check the
server's error log.

There is nothing in error.log to indicate that the fault is with LDAP or
TLS - nothing in error.log at all.  For this situation, there should be
an error log entry complaining that the LDAP server certificate is expired.

After updating the cert and restarting slapd, it is still not working,
though, and there is still nothing in error.log.

tcpdump shows that there are attempts to contact the LDAP server.  The
client hello packet is sent to the server using SSL 3.0 and there is no
response, the server just drops the connection.

Connecting to the server with openssl s_client works as expected and the
cert is verified.

Looking more closely, I found that
a) the new LDAP server certificate was signed with SHA512
b) libgnutls26 seems to have bugs with that (see also Debian bug 740160)
c) in this case, there is little that mod_authnz_ldap can do but it
would still be very helpful if it logged something to error.log to say
that the LDAP server unexpectedly dropped the connection during the TLS
handshake

Just to clarify, when I originally saw the "Internal Server Error" I had
no idea it was even an LDAP issue - my first thought was that the fault
was in the CGI script I was trying to access and I started trying to
debug the script.  This is why I think there should be logging about
these TLS issues.

--- End Message ---
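Added example (not part of the bug report, not Apache or Debian code): a Python script that produces the two error.log lines the report asks for. It does the same TLS handshake mod_authnz_ldap performs for an ldaps:// URL and turns the failure into a one-line diagnostic, distinguishing a rejected (for instance expired) server certificate from a server that silently drops the connection during the handshake. It also decodes the record and ClientHello version fields that tcpdump shows, so an "SSL 3.0 client hello" can be confirmed from the first bytes on the wire. Assumptions: the hostname ldap.example.org is taken from the report; the loopback server that drops the connection, and the SSL 3.0 ClientHello bytes, are constructed here to stand in for the misbehaving slapd.

```python
import socket
import ssl
import threading

# Wire-format version names. 3.3 is also the legacy_version of a TLS 1.3 hello.
TLS_VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLS 1.0",
                     (3, 2): "TLS 1.1", (3, 3): "TLS 1.2 (or 1.3 legacy_version)"}

# Constructed sample: an SSL 3.0 ClientHello of the kind the report saw in tcpdump.
SSL30_CLIENT_HELLO = (
    b"\x16\x03\x00\x00\x2d"      # record header: handshake, version 3.0, 45 bytes
    + b"\x01\x00\x00\x29"        # handshake header: ClientHello, 41 bytes
    + b"\x03\x00"                # client_version 3.0 (SSLv3)
    + b"\x00" * 32               # random
    + b"\x00"                    # session_id length 0
    + b"\x00\x02\x00\x2f"        # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
    + b"\x01\x00"                # compression methods: null only
)


def parse_client_hello(data):
    """Decode the record and handshake headers of a ClientHello (the bytes
    tcpdump prints first). Raises ValueError if this is not a ClientHello."""
    if len(data) < 11:
        raise ValueError("need at least 11 bytes of ClientHello")
    if data[0] != 0x16:                       # 0x16 = handshake record
        raise ValueError("not a TLS handshake record: type 0x%02x" % data[0])
    if data[5] != 0x01:                       # 0x01 = ClientHello
        raise ValueError("handshake type 0x%02x is not ClientHello" % data[5])
    client_version = (data[9], data[10])
    return {"record_version": (data[1], data[2]),
            "record_length": int.from_bytes(data[3:5], "big"),
            "handshake_length": int.from_bytes(data[6:9], "big"),
            "client_version": client_version,
            "client_version_name": TLS_VERSION_NAMES.get(client_version, "unknown")}


def recv_record(conn):
    """Read exactly one TLS record (5-byte header plus payload) from a socket."""
    buf = b""
    while len(buf) < 5:
        chunk = conn.recv(5 - len(buf))
        if not chunk:
            return buf
        buf += chunk
    need = 5 + int.from_bytes(buf[3:5], "big")
    while len(buf) < need:
        chunk = conn.recv(need - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def start_dropping_server():
    """Constructed stand-in for the broken slapd: accept one connection, read the
    ClientHello, record what it offered, then close without answering."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    seen = {}

    def serve():
        conn, _ = listener.accept()
        with conn:
            try:
                seen["hello"] = parse_client_hello(recv_record(conn))
            except ValueError as exc:
                seen["error"] = str(exc)
        listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname(), seen


def describe_ldaps_failure(host, port, server_name, timeout=5.0):
    """Do the handshake mod_authnz_ldap would do for ldaps://host:port and return
    the error.log line it should have written, or None if the handshake works."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "LDAP server %s:%d unreachable: %s" % (host, port, exc)
    ctx = ssl.create_default_context()           # verifies chain, expiry, hostname
    try:
        with ctx.wrap_socket(sock, server_hostname=server_name):
            return None
    except ssl.SSLCertVerificationError as exc:  # expired cert ends up here
        return "LDAP server %s:%d certificate rejected: %s" % (host, port, exc.verify_message)
    except (ssl.SSLEOFError, ssl.SSLZeroReturnError, ConnectionResetError, BrokenPipeError):
        return "LDAP server %s:%d dropped the connection during the TLS handshake" % (host, port)
    except ssl.SSLError as exc:                  # cipher mismatch, bad record, etc.
        return "LDAP server %s:%d TLS handshake failed: %s" % (host, port, exc.reason)
    except socket.timeout:
        return "LDAP server %s:%d did not answer the ClientHello within %.0fs" % (host, port, timeout)
    finally:
        sock.close()


if __name__ == "__main__":
    print(parse_client_hello(SSL30_CLIENT_HELLO))
    (host, port), seen = start_dropping_server()
    print(describe_ldaps_failure(host, port, "ldap.example.org"))
    print("server saw:", seen)
```

Point describe_ldaps_failure at a real ldaps:// host and port to get the same one-line verdict for a live server; the loopback server only exists so the "dropped during handshake" path can be exercised without a network.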
--- Begin Message ---
version: 2.4.1-1

Logging in mod_*ldap has been greatly improved in 2.4, but the fixes 
won't be backported to 2.2/wheezy. Therefore I am closing this report.

If you have any complaints about ldap logging in 2.4, please open a 
new report.

Cheers,
Stefan

--- End Message ---
